I recently took SANS FOR508 with Rob Lee in Las Vegas.  It was a great class and I highly recommend it to everyone interested in Digital Forensics.  I’m new to forensics and learned so much from the class.

One of the topics covered is using the srch_strings command from the Sleuth Kit on a filesystem image to obtain not just the strings within the file, but also the byte offset of each string.  This is done using the “-t d” option:

$ srch_strings -a -t d sda1.img
 7208 vmlinuz-2.2.14-5.0
 7336 System.map-2.2.14-5.0smp
 7464 module-info-2.2.14-5.0
 262176 lost+found
 262196 kernel.h
 262212 System.map-2.2.14-5.0
 262244 module-info-2.2.14-5.0

Then, after obtaining the block size of the filesystem using fsstat, we figure out which block each of these strings is in.  For example, this is an image of a filesystem with 1024 byte blocks, so divide each byte offset by 1024:

Block  String
 7     vmlinuz-2.2.14-5.0
 7     System.map-2.2.14-5.0smp
 7     module-info-2.2.14-5.0
 256   lost+found
 256   kernel.h
 256   System.map-2.2.14-5.0
 256   module-info-2.2.14-5.0

During class, I got tired of opening the calculator to figure out these blocks, so I came up with a little one liner to do everything at once:

$ strings -a -t d sda1.img | tee file | awk '{print $1"/1024"}' | bc | paste - file
7       7208 vmlinuz-2.2.14-5.0
7       7336 System.map-2.2.14-5.0smp
7       7464 module-info-2.2.14-5.0
256     262176 lost+found
256     262196 kernel.h
256     262212 System.map-2.2.14-5.0
256     262244 module-info-2.2.14-5.0

Eventually, I got tired of typing that out and turned it into a script after getting back home after class.  I emailed Rob Lee about it and he put me in touch with Hal Pomeranz, who had been working on a similar script.  Hal and I had some other ideas of where this could be taken, and that’s what eventually became srch_strings_wrap.

In a previous post, I gave an overview of the command line options and functionality, so now I’d just like to show some examples. Continue reading →